Tanium Client and Tanium Cloud requirements

Review the requirements before deploying the Tanium Client to endpoints. Additionally, review the specific requirements for the Tanium Cloud shared service before using it to monitor client health, manage client settings, or upgrade clients.

Endpoint Configuration is also installed as part of Tanium Cloud. Also review the Endpoint Configuration requirements before installing Tanium Cloud.

Client version and host system requirements

Table 1 lists the supported operating systems on endpoint host systems where you install the Tanium Client.

Hardware resource requirements vary based on the actions that you deploy to the endpoints. See Hardware requirements for baseline RAM and disk space requirements.

Some Tanium modules and shared services have additional requirements for the Tanium Client and endpoint hosts. Table 3 provides links to the user guide sections that list these requirements.

Windows endpoints must have the following root certificate authority (CA) certificates because they are required to verify the integrity of the Tanium Client binaries:
  • DigiCert Assured ID Root CA
    (thumbprint 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43)
  • DigiCert High Assurance EV Root CA
    (thumbprint 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25)
  • DigiCert SHA2 Assured ID CA
    (thumbprint E1:2D:2E:8D:47:B6:4F:46:9F:51:88:02:DF:BD:99:C0:D8:6D:3C:6A)
  • DigiCert SHA2 Assured ID Code Signing CA
    (thumbprint 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6)

For certificate downloads, see DigiCert: Download DigiCert root and intermediate certificates, and for more information about installing certificates, see DigiCert Support.
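
The following check is an added example, not Tanium code: it looks for the four thumbprints listed above in the local machine certificate stores and reports any that are missing or expired. The function name is hypothetical, searching both the Trusted Root and Intermediate CA stores is an assumption of this example, and it requires PowerShell 3.0 or later.

```powershell
# Added example, not Tanium code. Requires PowerShell 3.0 or later.
function Test-TaniumSigningCaCerts {   # hypothetical helper name
    # Names and thumbprints are copied from the list above.
    $required = [ordered]@{
        'DigiCert Assured ID Root CA'              = '05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43'
        'DigiCert High Assurance EV Root CA'       = '5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25'
        'DigiCert SHA2 Assured ID CA'              = 'E1:2D:2E:8D:47:B6:4F:46:9F:51:88:02:DF:BD:99:C0:D8:6D:3C:6A'
        'DigiCert SHA2 Assured ID Code Signing CA' = '92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6'
    }

    # Assumption of this example: a certificate may sit in either the
    # Trusted Root or the Intermediate CA machine store, so check both.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

    foreach ($name in $required.Keys) {
        # The certificate provider exposes thumbprints without separators,
        # so strip the colons before comparing.
        $thumb = ($required[$name] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($thumb.Length -ne 40) { throw "Malformed SHA-1 thumbprint for '$name'" }

        # Collect every store in which the certificate is installed.
        $hits = @(foreach ($store in $stores) {
            Get-ChildItem -Path $store |
                Where-Object { $_.Thumbprint -eq $thumb } |
                ForEach-Object { [pscustomobject]@{ Store = $store; Cert = $_ } }
        })

        [pscustomobject]@{
            Certificate = $name
            Thumbprint  = $thumb
            Present     = $hits.Count -gt 0
            Stores      = ($hits | ForEach-Object { $_.Store }) -join ', '
            NotAfter    = if ($hits.Count) { $hits[0].Cert.NotAfter } else { $null }
            Expired     = if ($hits.Count) { $hits[0].Cert.NotAfter -lt (Get-Date) } else { $null }
        }
    }
}

$report = Test-TaniumSigningCaCerts
$report | Format-Table Certificate, Present, Stores, NotAfter, Expired -AutoSize

# Surface anything that would prevent verification of the client binaries.
$report | Where-Object { -not $_.Present -or $_.Expired } |
    ForEach-Object { Write-Warning "Missing or expired: $($_.Certificate) ($($_.Thumbprint))" }
```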

Supported operating systems

The following table lists supported operating systems and versions for Tanium™ Cloud and the versions of the Tanium Client that are supported for each OS version in Tanium™ Cloud. The Tanium Cloud service supports all listed OS versions.

Because Tanium Cloud requires Tanium Client 7.4 or later, some legacy operating systems are not supported. Tanium Cloud supports only the operating system versions and associated Tanium Client versions listed in the following table.

 Table 1: Supported OS versions for Tanium Client hosts
Operating system | OS Version | Available Executables | Tanium Client Version Supported by Tanium Cloud | Notes
Microsoft Windows Server
  • Windows Server 2022
  • Windows Server 2019 (currently supported releases in the Long-Term Servicing Channel and the last supported release in the Semi-Annual Channel)
  • Windows Server 2016
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 R2
x86 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.

  • Some Tanium sensors and packages require unrestricted access to Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you restrict any of these features on endpoints, Tanium functionality is limited.
  • PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows Server 2008 R2 for PowerShell-based sensors to work on those endpoints.
Microsoft Windows Workstation
  • Windows 11
  • Windows 10 (currently supported releases in both the Semi-Annual Channel and the Long-Term Servicing Channel)
  • Windows 8
  • Windows 7 (SP1)
x86 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • Some Tanium sensors and packages require unrestricted access to Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you restrict any of these features on endpoints, Tanium functionality is limited.

  • PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows 7 for PowerShell-based sensors to work on those endpoints.
macOS
  • macOS 13 Ventura
  • macOS 12 Monterey
  • macOS 11 Big Sur
Universal
x86-64
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • The universal binary is available only in Tanium Client 7.4.8.1042 or later.
  • Tanium recommends the universal binary for all Mac computers running macOS 11 or later. The universal binary is supported and runs natively on both Intel-based Mac computers running macOS 11 or later and Apple "M" series-based Mac computers.
  • Tanium recommends replacing the x86-64 binary with the universal binary on all Mac computers running macOS 11 or later. However, you cannot upgrade an existing installation of the x86-64 version of the Tanium Client directly to the Universal version. You must first uninstall the existing Tanium Client. If you upgrade the x86-64 client in Client Management, it installs a newer version of the x86-64 client.
  • Tanium Client 7.2.314.3608 and later has a different code signing requirement from earlier versions. If you are creating a Privacy Preferences Policy Control (PPPC) custom payload, see Deploy the Tanium Client to macOS endpoints using the installer.
  • For onboarding macOS endpoints, you can use Tanium™ Mac Device Enrollment. Mac Device Enrollment supports macOS 11 or later. For more information, see Tanium Mac Device Enrollment User Guide.
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave
  • macOS 10.13 High Sierra
x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
Linux Amazon Linux 2 LTS x86-64
ARM64
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • ARM64 support is available only in Tanium Client 7.4.7.1130 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

Amazon Linux 1 AMI (2018.03) x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Debian 11.x x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Debian 10.x

x86-64

7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Debian 9.x, 8.x

x86
x86-64

7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 9.x x86-64
ARM64
7.4.10.1034
7.4.9.1077
7.4.9.1062
  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

Oracle Linux 8.x x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063

 
Oracle Linux 7.x x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 6.x

x86
x86-64

7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
Oracle Linux 5.x

x86
x86-64

7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
  • Red Hat Enterprise Linux (RHEL) 9.x
  • AlmaLinux 9.x
  • Rocky Linux 9.x
x86-64
ARM64
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

  • Red Hat Enterprise Linux (RHEL) 8.x
  • CentOS 8.x
  • AlmaLinux 8.x
  • Rocky Linux 8.x
x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • (CentOS 8.x) CentOS Stream is a separate distribution and is not supported.

  • Red Hat Enterprise Linux (RHEL) 7.x
  • CentOS 7.x
x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
  • Red Hat Enterprise Linux (RHEL) 6.x
  • CentOS 6.x

x86
x86-64

7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
  • Red Hat Enterprise Linux (RHEL) 5.x
  • CentOS 5.x

x86
x86-64

7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • (CentOS 5.x) CentOS 5.x endpoints are included in summary client health information in Tanium Cloud, but you cannot use Tanium™ Direct Connect to access detailed client health information.

  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
  • SUSE Linux Enterprise Server (SLES) 15
  • openSUSE 15.x

x86-64

7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955

 
  • SUSE Linux Enterprise Server (SLES) 12
  • openSUSE 12.x

x86
x86-64

7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 22.04 LTS x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Ubuntu 20.04 LTS x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Ubuntu 18.04 LTS x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 16.04 LTS x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 14.04 LTS x86-64 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
AIX

IBM AIX 7.1 TL4 or later

POWER 7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
  • The Tanium Client for AIX requires a 64-bit operating system and the IBM XL C++ runtime environment file set (xlC.rte), and the IBM LLVM runtime libraries file set (libc++.rte). For specific requirements for each file set and installation steps, see Deploy the Tanium Client to AIX endpoints using a package file.

  • Summary client health information in Tanium Cloud includes AIX endpoints, but you cannot use Direct Connect to access detailed client health information.

  • The default Client Management action group does not target AIX endpoints. To use Client Management functionality with AIX endpoints, set the Client Management action group to target the computer group All Computers. For more information, see Configuring Tanium Cloud.
  • You cannot download the AIX installer from Tanium Cloud. To obtain the installer for AIX, contact Tanium support.

Solaris
  • Oracle Solaris 11 SPARC
  • Oracle Solaris 11 x86
  • Oracle Solaris 10 U8 SPARC or higher
  • Oracle Solaris 10 U8 x86 or higher

SPARC
x86

7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • The Tanium Client for Solaris requires SUNWgccruntime on Solaris 10 and 11.0–11.3.

  • Summary client health information in Tanium Cloud includes Solaris endpoints, but you cannot use Direct Connect to access detailed client health information.

  • The default Client Management action group does not target Solaris endpoints. To use Client Management functionality with Solaris endpoints, set the Client Management action group to target the computer group All Computers. For more information, see Configuring Tanium Cloud.
  • You cannot download the Solaris installer from Tanium Cloud. To obtain the installer for Solaris, contact Tanium support.

Hardware requirements

The following minimums are recommended to install and run the Tanium Client on endpoints:

  • CPU cores: 2
  • Random-access memory (RAM): 2 GB
  • Available disk space: 1 GB

On an endpoint that does not use functionality from Tanium modules and uses the Tanium Client only for basic visibility and endpoint information, the Tanium Client can function with a single-core CPU. However, overall performance of the endpoint might be reduced.

Virtual desktop infrastructure (VDI) environments: For better performance, provide at least two CPU cores for each VDI instance, even if CPU cores are overprovisioned.

Installed modules or services might require additional RAM and disk space, depending on your usage. Other applications that run on an endpoint require additional CPU, RAM, and disk resources. Contact Tanium support for guidance on specific configurations.

The modules that are listed in the following table have specific additional hardware requirements. Requirements for RAM refer to the minimum installed RAM that the client and all installed modules and services require. Requirements for disk space refer to the additional available disk space that each listed module requires. (For complete endpoint requirements for each listed module, follow the links in the table. For links to endpoint requirements for all solutions, see Table 3.)

 Table 2: Additional hardware requirements for specific modules
Product | Additional available disk space | Minimum RAM required
Tanium™ Comply | 200 MB | 2 GB [1]
Tanium™ Deploy | 2 GB [2] | 2 GB [1]
Tanium™ Integrity Monitor | 1 GB [3] | 4 GB
Tanium™ Map | 200 MB | 4 GB
Tanium™ Patch | 5 GB [2] | 2 GB [1], [4]
Tanium™ Performance | 100 MB plus the amount specified in the Database maximum size parameter (1 GB by default) [5] | 2 GB [1]
Tanium™ Reveal | 2 GB [3] | 2 GB [1]
Tanium™ Threat Response | 3 GB [3] | 4 GB

[1] This module does not have a specific RAM requirement above the baseline 2 GB of RAM that the Tanium Client requires.

[2] If both Deploy and Patch are installed, only 5 GB of additional available disk space is required for both solutions, for client cache space.

[3] This solution uses Tanium™ Index and Tanium™ Recorder. Specific disk space requirements for Index depend on the file system on the endpoint, and specific disk space requirements for Recorder depend on the number of events recorded on the endpoint. Depending on these factors, the disk space that is required on the endpoint might be greater than the amount listed here. For Index in particular, a general guideline is that the database size is an additional 1 MB per 1 GB of files on disk.

[4] The utilities that Patch uses for scanning use increased RAM for up to several minutes during endpoint scans. If an endpoint must also run other processes that use significant RAM during Patch scans, it might require more RAM than the minimum 2 GB.

[5] The Performance database collects approximately 45 MB per day for busy servers and 25-35 MB per day for workstations.

Module and service requirements

Click the links in the following table to see the minimum Tanium Client version (Tanium dependencies) and client endpoint requirements for each Tanium module and shared service.

 Table 3: Solution-specific requirements for
Product | Tanium Dependencies
Tanium™ API Gateway | No additional requirements
Tanium™ Asset | Core platform dependencies
Tanium™ Benchmark | Core platform dependencies
Tanium™ Certificate Manager | Core platform dependencies
Tanium™ Client Management |
Tanium™ Comply | Core platform dependencies
Tanium™ Connect | No additional requirements
Tanium™ Criticality | No additional requirements
Tanium™ Deploy | Core platform dependencies
Tanium™ Direct Connect | No additional requirements
Tanium™ Directory Query | No additional requirements
Tanium™ Discover | Core platform dependencies
Tanium™ Endpoint Configuration | No additional requirements
Tanium™ End-User Notifications | Core platform dependencies
Tanium™ Enforce | Core platform dependencies
Tanium™ Engage | Core platform dependencies
Tanium™ Feed | No additional requirements
Tanium™ Impact | Core platform dependencies
Tanium™ Integrity Monitor | Core platform dependencies
Tanium™ Interact | No additional requirements
Tanium™ Map | Core platform dependencies
Tanium™ Patch | Core platform dependencies
Tanium™ Performance | Core platform dependencies
Tanium™ Provision | Core platform dependencies
Tanium™ Reporting | No additional requirements
Tanium™ Reputation | Core platform dependencies
Tanium™ Reveal | Core platform dependencies
Tanium™ Threat Response | Core platform dependencies
Tanium™ Trends | No additional requirements

Tanium Tanium Cloud dependencies

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium Client: Downloading client installers from Tanium Cloud does not require a pre-existing installation of Tanium Client. Using client profile and client health features, including using Direct Connect to access detailed client health information, requires a supported Tanium Client (see Supported OS versions for Tanium Client hosts).

Client extensions

Tanium Endpoint Configuration installs client extensions for Tanium Cloud on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Tanium Cloud functions:

  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • DEC CX - Provides a direct connection between endpoint and Tanium Cloud. Tanium Direct Connect installs this client extension. This is a feature-specific dependency for Tanium Cloud.
  • Discover CX - Performs satellite-based Nmap scans. Tanium Discover installs this client extension. This is a feature-specific dependency for Tanium Cloud.
  • Extras CX - Provides a helper library that contains re-usable functions for various client extensions to use. Tanium Discover installs this client extension. This is a feature-specific dependency for Tanium Cloud.
  • Support CX - Provides the ability to gather troubleshooting content from endpoints through Tanium Client Management. Tanium Client Management installs this client extension.
  • TSDB CX - Collects metrics about the Tanium Client and client extensions. Tanium Client Management installs this client extension.

Endpoint accounts

Tanium Client service account

On Windows, the Tanium Client is installed as a service that must run in the security context of the Local System account.

On AIX, Linux, macOS, and Solaris, the Tanium Client is installed as a system service, which must run with a User ID (UID) of 0.

Network connectivity, ports, and firewalls

TCP/IP requirements for Tanium Client

Tanium Cloud uses TCP/IP to communicate over IPv4 networks. Work with your network administrator to ensure that the endpoints in your environment can reach the Tanium Cloud Client Edge URLs and can use the Domain Name System (DNS) to resolve the host names. For more information, see Tanium Cloud Deployment Guide: Getting started with Tanium Cloud.

Port requirements for Tanium Client and Tanium Cloud

The following ports are required for Tanium Client and Tanium Cloud communication.

 Table 4: Port requirements for Tanium Client
Source | Destination | Port | Protocol | Purpose
Tanium Client | Tanium Cloud | 17472 | TCP | Used for communication between the Tanium Client and Tanium Cloud
Tanium Client | Peer clients | 17472 | TCP | Used for communication between the Tanium Client and peer clients
Peer clients | Tanium Client | 17472 | TCP | Used for communication between the Tanium Client and peer clients
Tanium Client | Tanium Client (loopback) | 17473 | TCP | Used for the Tanium Client API. This port is used with the loopback interface and usually does not require a firewall rule.
Tanium Client | distribute.cloud.tanium.com | 443 | TCP (HTTPS) | Outbound communication from the Tanium Client and inbound communication for file part distribution

 Table 4: Port requirements for Tanium Cloud
Source | Destination | Port | Protocol | Purpose
Tanium Client | Tanium Cloud | 17486 | TCP | Used for direct connection to endpoints for detailed client health information

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Some Tanium modules and shared services have additional port requirements for the Tanium Client: see Tanium Cloud Deployment Guide: Solution-specific port requirements.

Work with your network security administrator to ensure that firewalls and security applications do not block port 17472, which the Tanium Client uses for communication with Tanium Cloud, and the port that the client uses for communication with peer clients (default is also port 17472). You can change the port that clients use for peer communication by configuring the ListenPort or EnableRandomListeningPort setting. (See Customize listening ports.) If you do not configure either of these settings, clients default to using port 17472 for peer communication.

The default client peering settings ensure that clients form linear chains only within the boundaries of local area networks (LANs). Therefore, firewalls must allow bi-directional TCP communication on the listening port between clients that are in the same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For more information about network port requirements in Tanium, see Tanium Cloud Deployment Guide: Host and network security requirements. For more information about client peering settings, see Configuring Tanium Client peering.

  • macOS: The Tanium Client service is signed to automatically allow communication through the default macOS firewall. However, the client installation process does not modify any host-based firewall that is in use. For more information about managing macOS firewalls, see Manage macOS firewall rules.

    On endpoints that run macOS 10.14 (Mojave) or later, you might have to configure a firewall rule to prevent end users from seeing a pop-up for allowing connections during a Tanium Client upgrade. See Manage pop-ups for Tanium Client upgrades.

  • Linux: For more information about managing Linux firewalls, see Manage Linux firewall rules.

  • If you configure the Tanium Client to randomly select a new listening port at intervals, you must configure endpoint firewalls to allow incoming connections on any port that the Tanium Client process requests. For more information, see Randomize listening ports.

  • The port number for the client API is one higher than the client-client listening port, which means that, by default, the API port is 17473. However, if the listening port changes, the API port also changes. For example, if you set ListenPort to 17473, the client API port becomes 17474. Because the API is on the loopback interface (localhost), the API port usually does not require a firewall rule for allowing traffic.
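
The following preflight is an added example, not Tanium code: it tests outbound TCP reachability for the destinations in Table 4, derives the client API port as the listening port plus one, and flags an API listener that is bound to anything other than loopback. The function name, the `-CloudHost` parameter (your customer-specific Tanium Cloud Client Edge host name, which this page does not give), and the use of that same host for port 17486 are assumptions.

```powershell
# Added example, not Tanium code. Test-NetConnection and Get-NetTCPConnection
# need Windows 8.1 / Windows Server 2012 R2 or later.
function Test-TaniumClientPorts {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Assumption: customer-specific Client Edge host name, supplied by you.
        [Parameter(Mandatory)][string]$CloudHost,
        # Peer listening port. Pass the current value if ListenPort or
        # EnableRandomListeningPort changed it from the default.
        [ValidateRange(1, 65534)][int]$ListenPort = 17472,
        # Also test port 17486, used for detailed client health information.
        [switch]$DirectConnect
    )

    # The client API port is always one higher than the listening port.
    $apiPort = $ListenPort + 1

    # Outbound destinations from Table 4. The cloud port stays 17472 even
    # when the peer listening port is customized.
    $targets = @(
        [pscustomobject]@{ Host = $CloudHost; Port = 17472; Purpose = 'Tanium Client to Tanium Cloud' }
        [pscustomobject]@{ Host = 'distribute.cloud.tanium.com'; Port = 443; Purpose = 'File part distribution (HTTPS)' }
    )
    if ($DirectConnect) {
        $targets += [pscustomobject]@{ Host = $CloudHost; Port = 17486; Purpose = 'Direct Connect client health' }
    }

    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check   = "outbound $($t.Host):$($t.Port)"
            Purpose = $t.Purpose
            Pass    = [bool]$r.TcpTestSucceeded
            Detail  = "remote address: $($r.RemoteAddress)"
        }
    }

    # Peer traffic: the client must be listening on the peer port.
    $peer = @(Get-NetTCPConnection -State Listen -LocalPort $ListenPort -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check   = "listening on $ListenPort"
        Purpose = 'Peer client communication'
        Pass    = $peer.Count -gt 0
        Detail  = "bound to: $(($peer | ForEach-Object { $_.LocalAddress }) -join ', ')"
    }

    # Client API: expected on the loopback interface only.
    $api = @(Get-NetTCPConnection -State Listen -LocalPort $apiPort -ErrorAction SilentlyContinue)
    $exposed = @($api | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })
    [pscustomobject]@{
        Check   = "client API on $apiPort"
        Purpose = 'Loopback-only client API'
        Pass    = ($api.Count -gt 0) -and ($exposed.Count -eq 0)
        Detail  = "bound to: $(($api | ForEach-Object { $_.LocalAddress }) -join ', ')"
    }
}

# Usage (replace the placeholder with your Client Edge host name):
# Test-TaniumClientPorts -CloudHost '<client-edge-host>' -DirectConnect | Format-Table -AutoSize
```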

The following figure illustrates a deployment where Tanium Clients have direct endpoint connections to Tanium Cloud over port 17486 for Tanium modules that use the Tanium™ Direct Connect shared service. Therefore, the firewalls must allow traffic on port 17486 as well as port 17472. The clients in virtual private networks (VPNs) do not peer with each other and each of these clients has a leader connection to Tanium Cloud (see Configure isolated subnets). The clients that peer with each other connect to Tanium Cloud through backward and forward leaders at opposite ends of their linear chains.

Figure 1: Tanium Client connectivity

API access

To access the Tanium Cloud APIs, you must first create an API Token. For more information, see Tanium Console User Guide: Create API tokens.

Use the following URL for Tanium Cloud API access:

URL | Notes
<customerURL>-api.cloud.tanium.com | The maximum payload size for API requests and responses is 10 MB.

Host system security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Security exclusions for Tanium Client

Some antivirus (AV) software might require excluding the installation directories of the Tanium Client from real-time inspection. Typically, configuring trusted exclusions also involves setting a policy to ignore the input and output of Tanium binaries. The configuration of these exclusions varies based on the AV software.

The following tools and files have specific requirements for the Tanium Client:

  • Microsoft Group Policy Objects (GPO) or other central management tools for managing host firewalls: Tanium recommends creating rules to allow inbound and outbound TCP traffic across the port that the client uses for Tanium traffic (default 17472) and port 17486 on any managed endpoints. See .

  • Windows Update offline scan file (Wsusscn2.cab): The Tanium Client uses Wsusscn2.cab to assess endpoints for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, see the Microsoft KB for information on configuring those tools to interact appropriately with the Wsusscn2.cab file.

  • McAfee Host Intrusion Detection (in older versions of McAfee security software): Tanium recommends marking the Tanium Client as both Trusted for Firewall and Trusted for IPS.

Some Tanium modules and shared services have their own security exclusions for the Tanium Client. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 5 lists Tanium Client directories that Tanium recommends AV software or other host-based security applications exclude from on-access or real-time scans. Include subdirectories of these locations when you create the exception rules. The listed directory paths are the defaults. If you changed the directory locations to non-default paths, create rules that are based on the actual locations.

 Table 5: Security exclusions for Tanium Client directories
Endpoint OS | Installation Directory
Windows (64-bit OS versions) | \Program Files (x86)\Tanium\Tanium Client
Windows (32-bit OS versions) | \Program Files\Tanium\Tanium Client
macOS | /Library/Tanium/TaniumClient
Linux, Solaris, AIX | /opt/Tanium/TaniumClient

Tanium recommends that security applications allow (not block, quarantine, or otherwise process) the following system processes. The <Tanium Client> variable indicates the Tanium Client installation directory, which is configurable during client installation.

 Table 6: Security exclusions for system processes on Tanium Client endpoints
Endpoint OS | Process
Windows, macOS, Linux | <Tanium Client>/Tools/StdUtils directory or all the files that it contains, including:
  • 7za.exe (Windows) or 7za (macOS, Linux)
  • runasuser.exe (Windows only)
  • runasuser64.exe (Windows only)
  • TaniumExecWrapper.exe (Windows) or TaniumExecWrapper (macOS, Linux)
  • TaniumFileInfo.exe (Windows only)
  • TPowerShell.exe (Windows only)
macOS, Linux, Solaris, AIX | <Tanium Client>/TaniumClient
macOS, Linux, Solaris, AIX | <Tanium Client>/taniumclient
macOS, Linux | <Tanium Client>/distribute-tools.sh
macOS, Linux | <Tanium Client>/TaniumCX
Windows | <Tanium Client>\TaniumClient.exe
Windows | <Tanium Client>\TaniumCX.exe

Security exclusions for Tanium Cloud

For the Tanium Cloud solution, Tanium recommends the following exclusions.

The <Tanium Client> variable refers to the Tanium Client installation directory, which is configurable during client installation.

 Table 6: Client Management security exclusions
Target Device | Notes | Exclusion Type | Exclusion
Windows x86 endpoints | During client installation | Process | \Program Files\Tanium\TaniumClientBootstrap.exe
Windows x86 endpoints | During client installation | Process | \Program Files\Tanium\SetupClient.exe
Windows x86 endpoints | During client installation | Process | <Tanium Client>\SetupClient.exe
Windows x86 endpoints |  | File | <Tanium Client>\TaniumClientExtensions.dll
Windows x86 endpoints |  | File | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x86 endpoints |  | Process | <Tanium Client>\TaniumCX.exe
Windows x86 endpoints | When Direct Connect is installed | File | <Tanium Client>\extensions\TaniumDEC.dll
Windows x86 endpoints | When Direct Connect is installed | File | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows x86 endpoints | When Discover is installed; satellite profiles only | File | <Tanium Client>\extensions\TaniumDiscover.dll
Windows x86 endpoints | When Discover is installed; satellite profiles only | File | <Tanium Client>\extensions\TaniumDiscover.dll.sig
Windows x86 endpoints | When Discover is installed; satellite profiles only | File | <Tanium Client>\extensions\TaniumExtras.dll
Windows x86 endpoints | When Discover is installed; satellite profiles only | File | <Tanium Client>\extensions\TaniumExtras.dll.sig
Windows x86 endpoints |  | File | <Tanium Client>\extensions\TaniumTSDB.dll
Windows x86 endpoints |  | File | <Tanium Client>\extensions\TaniumTSDB.dll.sig
Windows x86 endpoints | When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only) | Folder | C:\Program Files\Npcap
Windows x86 endpoints | When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only) | Process | <Tanium Client>\Tools\Discover\nmap\nmap.exe
Windows x64 endpoints | During client installation | Process | \Program Files (x86)\Tanium\TaniumClientBootstrap.exe
Windows x64 endpoints | During client installation | Process | \Program Files (x86)\Tanium\SetupClient.exe
Windows x64 endpoints | During client installation | Process | <Tanium Client>\SetupClient.exe
Windows x64 endpoints |  | File | <Tanium Client>\TaniumClientExtensions.dll
Windows x64 endpoints |  | File | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x64 endpoints |  | Process | <Tanium Client>\TaniumCX.exe
Windows x64 endpoints | When Direct Connect is installed | File | <Tanium Client>\extensions\TaniumDEC.dll
Windows x64 endpoints | When Direct Connect is installed | File | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows x64 endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>\extensions\TaniumDiscover.dll
Windows x64 endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>\extensions\TaniumDiscover.dll.sig
Windows x64 endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>\extensions\TaniumExtras.dll
Windows x64 endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>\extensions\TaniumExtras.dll.sig
Windows x64 endpoints |  | File | <Tanium Client>\extensions\TaniumTSDB.dll
Windows x64 endpoints |  | File | <Tanium Client>\extensions\TaniumTSDB.dll.sig
Windows x64 endpoints | When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only) | Folder | C:\Program Files\Npcap
Windows x64 endpoints | When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only) | Process | <Tanium Client>\Tools\Discover\nmap\nmap.exe
macOS endpoints | During client installation | Process | /Library/Tanium/TaniumClientBootstrap
macOS endpoints | During client installation | Process | /Library/Tanium/SetupClient
macOS endpoints | During client installation | Process | <Tanium Client>/SetupClient
macOS endpoints |  | File | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints |  | File | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints |  | Process | <Tanium Client>/TaniumCX
macOS endpoints | When Direct Connect is installed | File | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | When Direct Connect is installed | File | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only) | Process | <Tanium Client>/Tools/Discover/nmap/nmap
macOS endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDiscover.dylib
macOS endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDiscover.dylib.sig
macOS endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumExtras.dylib
macOS endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumExtras.dylib.sig
macOS endpoints |  | File | <Tanium Client>/extensions/libTaniumTSDB.dylib
macOS endpoints |  | File | <Tanium Client>/extensions/libTaniumTSDB.dylib.sig
Linux endpoints | During client installation | Process | /opt/Tanium/TaniumClientBootstrap
Linux endpoints | During client installation | Process | /opt/Tanium/SetupClient
Linux endpoints | During client installation | Process | <Tanium Client>/SetupClient
Linux endpoints |  | File | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints |  | File | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints |  | Process | <Tanium Client>/TaniumCX
Linux endpoints | When Direct Connect is installed | File | <Tanium Client>/extensions/libTaniumDEC.so
Linux endpoints | When Direct Connect is installed | File | <Tanium Client>/extensions/libTaniumDEC.so.sig
Linux endpoints | When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only) | Folder | <Tanium Client>/Tools/Discover/nmap/nmap
Linux endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDiscover.so
Linux endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDiscover.so.sig
Linux endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumExtras.so
Linux endpoints | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumExtras.so.sig
Linux endpoints |  | File | <Tanium Client>/extensions/libTaniumTSDB.so
Linux endpoints |  | File | <Tanium Client>/extensions/libTaniumTSDB.so.sig
Solaris and AIX endpoints | During client installation | Process | /opt/Tanium/TaniumClientBootstrap
Solaris and AIX endpoints | During client installation | Process | /opt/Tanium/SetupClient
Solaris and AIX endpoints | During client installation | Process | <Tanium Client>/SetupClient
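
The tables above use the <Tanium Client> placeholder, and the rules must follow the actual installation directory if it was changed. The following added example (not Tanium code) expands the Linux rows for client installation, the core client, and Direct Connect into concrete paths. It then applies a permission check that is an addition of this example, not a Tanium requirement: it flags excluded paths that are missing or writable by group or other users. The condition labels and function names are assumptions made for the example.

```python
import os
import stat

# Linux rows from the Client Management exclusions table above, as
# (condition, exclusion type, template). The condition labels are names
# chosen for this example, not Tanium settings.
LINUX_ROWS = [
    ("install", "Process", "<Tanium Client>/SetupClient"),
    ("always", "File", "<Tanium Client>/libTaniumClientExtensions.so"),
    ("always", "File", "<Tanium Client>/libTaniumClientExtensions.so.sig"),
    ("always", "Process", "<Tanium Client>/TaniumCX"),
    ("direct_connect", "File", "<Tanium Client>/extensions/libTaniumDEC.so"),
    ("direct_connect", "File", "<Tanium Client>/extensions/libTaniumDEC.so.sig"),
    ("always", "File", "<Tanium Client>/extensions/libTaniumTSDB.so"),
    ("always", "File", "<Tanium Client>/extensions/libTaniumTSDB.so.sig"),
]


def resolve(install_dir, enabled):
    """Expand <Tanium Client> to the actual install directory, keeping only
    rows that always apply or whose condition is in `enabled`."""
    base = install_dir.rstrip("/")
    return [(kind, tmpl.replace("<Tanium Client>", base))
            for cond, kind, tmpl in LINUX_ROWS
            if cond == "always" or cond in enabled]


def audit(exclusions):
    """Return (path, problem) for exclusions that do not exist or that group
    or other users can write to (a check added by this example)."""
    findings = []
    for _kind, path in exclusions:
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group/world-writable"))
    return findings


if __name__ == "__main__":
    # Default Linux install directory from Table 5; pass the real one if changed.
    rules = resolve("/opt/Tanium/TaniumClient", {"direct_connect"})
    for kind, path in rules:
        print(f"{kind:8} {path}")
    for path, problem in audit(rules):
        print(f"CHECK    {path}: {problem}")
```

A "missing" finding usually means the rule points at the default path while the client is installed elsewhere, or that the module the row belongs to is not installed.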

User role requirements for Tanium Cloud

The following tables list the role permissions required to use Tanium Cloud. To review a summary of the predefined roles, see Set up Tanium Cloud users.

For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

 Table 7: Tanium Cloud user role permissions
Permission | Client Management Downloader | Client Management Operator¹ | Client Management Upgrade Operator

Client-Management Direct
Connect to an endpoint using Direct Connect and read data from that endpoint
CONNECT

Client-Management Index Configuration
Manage client Index configurations
READ, WRITE, DEPLOY

Client-Management Settings Configuration
Manage client settings configurations
READ, WRITE, DEPLOY

Client-Management Upgrade
Manage and run client upgrades
READ, WRITE
READ, WRITE, RUN

Client-Management
Download installation packages for the Tanium Client
OPERATE
OPERATE

Clientmanagement
View the Tanium Cloud workbench
SHOW
SHOW
SHOW

1 This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium™ Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

 Table 8: Provided Tanium Cloud Administration and Platform content user role permissions
Permission | Role Type | Client Management Downloader | Client Management Operator | Client Management Upgrade Operator

Action Group | Administration
READ

Filter Group | Platform Content
READ
READ
READ

Plugin | Platform Content
READ, EXECUTE
READ, EXECUTE
READ, EXECUTE

Saved Question | Platform Content
READ
READ
READ

Sensor | Platform Content
READ
READ
READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

To configure a user who can only view client health information and connect to endpoints to access detailed client health and troubleshooting information, assign the following roles:

  • Direct Connect User
  • A custom role with the following permissions:
    • Clientmanagement Show
    • Client-Management Direct Connect
    • Client-Management View Health

For information about creating a custom role, see Tanium Console User Guide: Configure a custom role, and for information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

For more information and descriptions of content sets and permissions, see Tanium Core Platform User Guide: Managing roles.